<!doctype html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en-us" > <![endif]--><!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en-us" >        <![endif]--><!--[if IE 8]>    <html class="no-js lt-ie9" lang="en-us" >               <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="en-us"><!--<![endif]--><head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="author" content="Ofek Itach">
    <meta name="description" content=" Nautilus identified infrastructure in early stages of testing and deployment, of a cloud worm, designed to deploy on exposed JupyterLab and Docker APIs">
    <meta name="generator" content="HubSpot">
    <title>Threat Alert: Anatomy of Silentbob’s Cloud Attack</title>
    <link rel="shortcut icon" href="https://blog.aquasec.com/hubfs/PNG__2020%20Aqua%20Logomark%20Color.png">
    

    <meta property="og:description" content=" Nautilus identified infrastructure in early stages of testing and deployment, of a cloud worm, designed to deploy on exposed JupyterLab and Docker APIs">
    <meta property="og:title" content="Threat Alert: Anatomy of Silentbob’s Cloud Attack">
    <meta name="twitter:description" content=" Nautilus identified infrastructure in early stages of testing and deployment, of a cloud worm, designed to deploy on exposed JupyterLab and Docker APIs">
    <meta name="twitter:title" content="Threat Alert: Anatomy of Silentbob’s Cloud Attack">

    

    
    <script type="application/ld+json">
{
  "mainEntityOfPage" : {
    "@type" : "WebPage",
    "@id" : "https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack"
  },
  "author" : {
    "name" : "Ofek Itach",
    "url" : "https://blog.aquasec.com/author/ofek-itach",
    "@type" : "Person"
  },
  "headline" : "Threat Alert: Anatomy of Silentbob’s Cloud Attack",
  "datePublished" : "2023-07-05T14:01:13.000Z",
  "dateModified" : "2023-07-05T19:10:36.323Z",
  "publisher" : {
    "name" : "Aqua Security",
    "logo" : {
      "url" : "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/logo_aqua-2.svg",
      "@type" : "ImageObject"
    },
    "@type" : "Organization"
  },
  "@context" : "https://schema.org",
  "@type" : "BlogPosting",
  "image" : [ "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Blog-Image--Cloud-worm-silent-bob-Recovered.jpg" ]
}
</script>


    


<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="amphtml" href="https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack?hs_amp=true">

<meta property="og:image" content="https://blog.aquasec.com/hubfs/Blog-Image--Cloud-worm-silent-bob-Recovered.jpg#keepProtocol">

<meta name="twitter:image" content="https://blog.aquasec.com/hubfs/Blog-Image--Cloud-worm-silent-bob-Recovered.jpg#keepProtocol">


<meta property="og:url" content="https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack">

<!-- SEO - Images -->
<meta name="robots" content="max-image-preview:large">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://blog.aquasec.com/rss.xml">
<meta name="twitter:domain" content="blog.aquasec.com">
<meta name="twitter:site" content="@AquaSecTeam">

<meta http-equiv="content-language" content="en-us">




</head>
<body class="blog custom-blog-post-page   hs-content-id-123313501283 hs-blog-post hs-blog-id-3657573699" style="">

<div class="body-container-wrapper">
    <div class="body-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell page-center content-wrapper" style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-2 ">
<div class="row-fluid ">
<div class="span9 widget-span widget-type-cell blog-content" style="" data-widget-type="cell" data-x="0" data-w="9">

<div class="row-fluid-wrapper row-depth-1 row-number-3 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12">


<div class="custom-blog-post-content">
  <div class="blog-section">
    <div class="blog-post-wrapper cell-wrapper">

      <div class="section post-header">
        <div class="post-banner-image">
          <img srcset="https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/Blog-Image--Cloud-worm-silent-bob-Recovered.jpg?width=480&amp;name=Blog-Image--Cloud-worm-silent-bob-Recovered.jpg 480w, https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/Blog-Image--Cloud-worm-silent-bob-Recovered.jpg?width=870&amp;name=Blog-Image--Cloud-worm-silent-bob-Recovered.jpg 870w" sizes="(max-width: 600px) 480px, 870px" class="hs-image-widget" src="https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/Blog-Image--Cloud-worm-silent-bob-Recovered.jpg?width=870&amp;height=421&amp;name=Blog-Image--Cloud-worm-silent-bob-Recovered.jpg" alt="Threat Alert: Anatomy of Silentbob’s Cloud Attack" width="870" height="421"> 
        </div>

        <div class="post-date">
          
          
<div class="small-author-profile-link">
  <div class="small-author-profile small-author-profile-with-avatar">
    
    
    
    
    
    

    
    
    
    

    <div class="post-name-detail">
      <div class="small-author-name author-name-line">
        
        <a href="/author/ofek-itach">Ofek Itach</a>
        
        <a href="https://blog.aquasec.com/author/assaf-morag">Assaf Morag</a>
        
      </div>

      <div class="post-date-detail">
        July 05, 2023
      </div>
    </div>
  </div>
</div>

        </div>

        <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Threat Alert: Anatomy of Silentbob’s Cloud Attack</span></h1>
      </div>

      <div class="section post-body">
        <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>Aqua Nautilus researchers identified the infrastructure of a potentially massive campaign against cloud native environments. The infrastructure is in the early stages of testing and deployment and consists mainly of an aggressive cloud worm designed to deploy on exposed JupyterLab and Docker APIs, where it drops the Tsunami malware, hijacks cloud credentials, hijacks compute resources, and propagates the worm further. We strongly believe that TeamTNT is behind this new campaign. In this blog, the first of a two-part series, we unfold the story of this attack infrastructure while it is still under development, speculate on the threat actor, and discuss the potential impact of such a campaign. &nbsp;</p> 
<h2>
 <!--more--><br>Integrated campaign on cloud resources</h2> 
<p>Our investigation was prompted by an attack on one of our honeypots. After examining the container image and the Docker Hub account, we identified four container images, including the one used in the attack on our honeypot:&nbsp;</p> 
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/graphic.png?width=900&amp;height=411&amp;name=graphic.png" alt="graphic" width="900" height="411" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/graphic.png?width=450&amp;height=206&amp;name=graphic.png 450w, https://blog.aquasec.com/hs-fs/hubfs/graphic.png?width=900&amp;height=411&amp;name=graphic.png 900w, https://blog.aquasec.com/hs-fs/hubfs/graphic.png?width=1350&amp;height=617&amp;name=graphic.png 1350w, https://blog.aquasec.com/hs-fs/hubfs/graphic.png?width=1800&amp;height=822&amp;name=graphic.png 1800w, https://blog.aquasec.com/hs-fs/hubfs/graphic.png?width=2250&amp;height=1028&amp;name=graphic.png 2250w, https://blog.aquasec.com/hs-fs/hubfs/graphic.png?width=2700&amp;height=1233&amp;name=graphic.png 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p>Figure 1: Illustration of the relationships among the attacks</p> 
<p><span style="font-family: 'Courier New', Courier, monospace;">shanidmk/jltest2 </span>(updated: June 8, 2023): Its purpose is to detect exposed Jupyter Lab instances.</p> 
<p><span style="font-family: 'Courier New', Courier, monospace;">shanidmk/jltest</span> (updated: June 8, 2023): This image is used to compile Zgrab using the make command.</p> 
<p><span style="font-family: 'Courier New', Courier, monospace;">shanidmk/sysapp</span> (updated: May 25, 2023): This image scans for and attacks exposed Docker daemon instances.</p> 
<p><span style="font-family: 'Courier New', Courier, monospace;">shanidmk/blob</span> (updated: June 24, 2023): This container image is an updated version of sysapp and is intended to find exposed Docker Daemon instances. It releases a cryptominer and includes the Tsunami malware, which acts as a backdoor.</p> 
<p>We reported these container images to Docker Hub who promptly removed the malicious images from the public registry.</p> 
<p>In the sections below, we explore each of these container images and discuss the unique set of tools devised by the attacker.</p> 
<p><span style="text-decoration: underline;"><span style="font-weight: bold;"><span style="font-family: Arial, Helvetica, sans-serif;">shanidmk/jltest2</span> </span></span>(44 pulls)</p> 
<p>The first attack on our honeypot was launched in early June using this container image. The image comprises three layers; one of them contains a <span style="font-family: 'Courier New', Courier, monospace;">run.sh</span> shell script that is executed when the container starts.&nbsp;</p> 
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(44).jpg?width=900&amp;height=522&amp;name=carbon-(44).jpg" alt="carbon-(44)" width="900" height="522" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(44).jpg?width=450&amp;height=261&amp;name=carbon-(44).jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(44).jpg?width=900&amp;height=522&amp;name=carbon-(44).jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(44).jpg?width=1350&amp;height=783&amp;name=carbon-(44).jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(44).jpg?width=1800&amp;height=1044&amp;name=carbon-(44).jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(44).jpg?width=2250&amp;height=1305&amp;name=carbon-(44).jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(44).jpg?width=2700&amp;height=1566&amp;name=carbon-(44).jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p>Figure 2 illustrates the run.sh shell script, programmed to commence upon the startup of the <span style="font-family: 'Courier New', Courier, monospace;">shanidmk/jltest2</span> container.</p> 
<p>As shown in figure 2 above, the script first installs a number of packages to obtain the utilities it needs. It then builds ZGrab and moves the binary into the <span style="font-family: 'Courier New', Courier, monospace;">/bin</span> directory. ZGrab is an application-layer scanner written in Go that lets the attacker perform banner grabbing; it is used later on to identify JupyterLab and Docker API endpoints.</p> 
<p>Next, masscan scans the target range and pipes each responding IP to ZGrab, which checks whether an exposed JupyterLab instance is served at <span style="font-family: 'Courier New', Courier, monospace;">'http://Currently_found_IP_Address:8888/lab'</span>. The results are collected in the <span style="font-family: 'Courier New', Courier, monospace;">JupyterLab.txt</span> file, which is then uploaded to the attacker's C2 server with a curl command (figure 3). Note that a JupyterLab instance exposed without authentication lets anyone run code on the host through its notebook and terminal features, which is why mere exposure is enough for this worm.&nbsp;</p> 
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(47).jpg?width=900&amp;height=75&amp;name=carbon-(47).jpg" alt="carbon-(47)" width="900" height="75" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(47).jpg?width=450&amp;height=38&amp;name=carbon-(47).jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47).jpg?width=900&amp;height=75&amp;name=carbon-(47).jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47).jpg?width=1350&amp;height=113&amp;name=carbon-(47).jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47).jpg?width=1800&amp;height=150&amp;name=carbon-(47).jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47).jpg?width=2250&amp;height=188&amp;name=carbon-(47).jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(47).jpg?width=2700&amp;height=225&amp;name=carbon-(47).jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p>Figure 3 presents the curl command used to send the IPs of the exposed Jupyter Lab instances to the C2 server</p> 
<p>The next step is a loop that runs whenever the C2 server returns an IP range to scan. The first octet of the range is taken from the response to a curl request to the attacker’s C2 server, and the script then scans the entire /8 behind that octet, roughly 16.7 million IP addresses. Scanning at this scale from a compromised host produces a large, sustained burst of outbound connection attempts, which is a useful detection signal for egress monitoring.</p> 
<p>It's important to note that the <span style="font-family: 'Courier New', Courier, monospace;">HTTP_SOURCE</span> environment variable was initially set by the attacker at the start of the container.&nbsp;</p> 
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(48).jpg?width=900&amp;height=81&amp;name=carbon-(48).jpg" alt="carbon-(48)" width="900" height="81" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(48).jpg?width=450&amp;height=41&amp;name=carbon-(48).jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48).jpg?width=900&amp;height=81&amp;name=carbon-(48).jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48).jpg?width=1350&amp;height=122&amp;name=carbon-(48).jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48).jpg?width=1800&amp;height=162&amp;name=carbon-(48).jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48).jpg?width=2250&amp;height=203&amp;name=carbon-(48).jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(48).jpg?width=2700&amp;height=243&amp;name=carbon-(48).jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p>Figure 4 showcases the <span style="font-family: 'Courier New', Courier, monospace;">HTTP_SOURCE</span> environment variable.</p> 
<p>The C2 endpoint is exposed through an <span style="font-family: 'Courier New', Courier, monospace;">NGROK</span> tunnel, so the infrastructure's real hosting address is never visible to victims or to anyone inspecting the script. This conceals the backend and minimizes the risk of it being identified and shut down.</p> 
<p><span style="text-decoration: underline;"><span style="font-family: Arial, Helvetica, sans-serif; font-weight: bold;">shanidmk/jltest</span></span> (8 pulls)</p> 
<p>Upon examining the attacker's Docker Hub account, we identified a further container image. As its name suggests, it appears to be an earlier version of the image used in the attack on our honeypot. The attacker seems to have built it to obtain a pre-compiled zgrab binary tailored to the requirements of this campaign. Customizing the binary in this way indicates a considerable level of technical expertise.</p> 
<p><span style="text-decoration: underline; font-family: Arial, Helvetica, sans-serif;"><span style="font-weight: bold;">shanidmk/sysapp</span></span> (11 pulls)</p> 
<p>This container image is composed of six layers. Three of them hold parts of the base image, the basic filesystem, and various utilities. One layer contains an ELF binary (MD5=ba1b03bc2c262d724c0616eba9d7828b) that VirusTotal classifies as a cryptominer. Another layer holds ZGrab, and the last one contains the <span style="font-family: 'Courier New', Courier, monospace;">run.sh</span> shell script, which runs as soon as the container starts.&nbsp;</p> 
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(49).jpg?width=900&amp;height=1543&amp;name=carbon-(49).jpg" alt="carbon-(49)" width="900" height="1543" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(49).jpg?width=450&amp;height=772&amp;name=carbon-(49).jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(49).jpg?width=900&amp;height=1543&amp;name=carbon-(49).jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(49).jpg?width=1350&amp;height=2315&amp;name=carbon-(49).jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(49).jpg?width=1800&amp;height=3086&amp;name=carbon-(49).jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(49).jpg?width=2250&amp;height=3858&amp;name=carbon-(49).jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(49).jpg?width=2700&amp;height=4629&amp;name=carbon-(49).jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p>Figure 5 the shell script <span style="font-family: 'Courier New', Courier, monospace;">run.sh</span>, set to run when the <span style="font-family: 'Courier New', Courier, monospace;">shanidmk/sysapp</span> container start</p> 
<p>As depicted in figure 5 above, a random first octet is chosen for the IP range. It is then passed to the <span style="font-family: 'Courier New', Courier, monospace;">pwn_d</span> function together with that random range, one of the candidate Docker daemon ports (2375, 2376, 2377, 4244, 4243), and a scan rate.</p> 
<p>Based on those arguments, the pwn_d function scans for misconfigured Docker daemons (v1.16). Each docker command is wrapped in <span style="font-family: 'Courier New', Courier, monospace;">timeout -s sigkill</span>, so a <span style="font-family: 'Courier New', Courier, monospace;">docker info</span> or <span style="font-family: 'Courier New', Courier, monospace;">docker run</span> that hangs against an unresponsive target is killed with SIGKILL once the timeout expires instead of stalling the scan. The first call, <span style="font-family: 'Courier New', Courier, monospace;">docker info</span>, gathers information about the target environment; the second sends a remote command to the daemon instructing it to run a privileged alpine container. That container mounts the host filesystem, uses the host network, and executes a base64-encoded script passed through an 'echo' command. A privileged container with the host filesystem mounted and host networking is effectively root on the underlying host, so an unauthenticated Docker API reachable from the internet amounts to full host compromise, not just a container compromise.</p> 
<p>The following figure 6 illustrates the second command executed by the attacker upon container start:</p> 
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(50).jpg?width=900&amp;height=298&amp;name=carbon-(50).jpg" alt="carbon-(50)" width="900" height="298" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(50).jpg?width=450&amp;height=149&amp;name=carbon-(50).jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50).jpg?width=900&amp;height=298&amp;name=carbon-(50).jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50).jpg?width=1350&amp;height=447&amp;name=carbon-(50).jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50).jpg?width=1800&amp;height=596&amp;name=carbon-(50).jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50).jpg?width=2250&amp;height=745&amp;name=carbon-(50).jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(50).jpg?width=2700&amp;height=894&amp;name=carbon-(50).jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p>Figure 6 – this is the second command the attacker is running &nbsp;</p> 
<p>As seen in figure 6 above, the attacker runs a privileged container configured to restart, so it persists; it uses the host network and downloads the <span style="font-family: 'Courier New', Courier, monospace;">ELF files x.noback and x.back.</span> These binaries were no longer available during our investigation, so we can only speculate that they are either backup cryptominers or the Tsunami malware, a potent IRC-based backdoor. We elaborate on this in the attribution section. The script also retrieves the <span style="font-family: 'Courier New', Courier, monospace;">setup_c3pool_miner.sh script</span>, whose purpose is to deploy a cryptominer.</p> 
<p style="text-align: left;">Finally, the script is configured to <span style="font-family: 'Courier New', Courier, monospace;">download aws.sh.txt</span>. We strongly suspect that this script is designed to systematically scan the environment for AWS keys and secrets, thereby enabling the attacker to steal them.&nbsp;<span style="font-size: 12px;"></span></p> 
<p style="text-align: left;"><span style="text-decoration: underline;"><span style="font-family: Arial, Helvetica, sans-serif; font-weight: bold;">shanidmk/blob </span></span>(29 pulls)&nbsp;<br><br>This container image is composed of seven layers. Four of these layers house the base image and essential utilities. Two layers contain the Tsunami malware (MD5=87c8423e0815d6467656093bff9aa193), as classified by VirusTotal. The remaining layer holds the <span style="font-family: 'Courier New', Courier, monospace;">shell script docker_entrypoint.sh</span>, which is programmed to execute when the container launches.&nbsp;</p> 
<p style="text-align: left;">Figure 7 presents the <span style="font-family: 'Courier New', Courier, monospace;">docker_entrypoint.sh</span> shell script:&nbsp;</p> 
<p style="text-align: left;"><img src="https://blog.aquasec.com/hs-fs/hubfs/carbon-(51).jpg?width=900&amp;height=1922&amp;name=carbon-(51).jpg" alt="carbon-(51)" width="900" height="1922" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/carbon-(51).jpg?width=450&amp;height=961&amp;name=carbon-(51).jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51).jpg?width=900&amp;height=1922&amp;name=carbon-(51).jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51).jpg?width=1350&amp;height=2883&amp;name=carbon-(51).jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51).jpg?width=1800&amp;height=3844&amp;name=carbon-(51).jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51).jpg?width=2250&amp;height=4805&amp;name=carbon-(51).jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/carbon-(51).jpg?width=2700&amp;height=5766&amp;name=carbon-(51).jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p style="text-align: left;">Figure 7 – the <span style="font-family: 'Courier New', Courier, monospace;">docker_entrypoint.sh</span> shell script</p> 
<p style="text-align: left;">As shown in figure 7 above, the attacker begins by installing the packages and dependencies the attack needs. Next, the ELF file (MD5=87c8423e0815d6467656093bff9aa193), classified as Tsunami malware by VirusTotal, is executed. Following this, the attacker launches the Tor service to obscure network communication.</p> 
<p style="text-align: left;">The script then runs a scan-rate test by reading <span style="font-family: 'Courier New', Courier, monospace;">'/proc/meminfo'</span>, which reports memory usage. Based on this information, with some subsequent adjustments, it sets the scan rate for masscan.</p> 
<p style="text-align: left;">Next, a loop invokes the primary function <span style="font-family: 'Courier New', Courier, monospace;">dAPIpwn</span> (Docker API pwn). The attacker uses anondns.net to mask the C2 server. Anondns is a DNS-over-HTTP service that lets the attacker communicate with the backend without exposing its real address on the compromised server. The attacker created a subdomain under the anondns domain named '<span style="font-family: 'Courier New', Courier, monospace;">silentbob</span>', possibly a reference to the film "Jay and Silent Bob", which offers a clue to the attacker's identity.</p> 
<p style="text-align: left;">The main function, <span style="font-family: 'Courier New', Courier, monospace;">dAPIpwn</span>, randomly selects a file name and initiates a scan. It uses the <span style="font-family: 'Courier New', Courier, monospace;">proxychains3</span> application, which forces any TCP connection made by a given client to go through a proxy (or chain of proxies). Masscan then scans a specified range of approximately 16.7 million IP addresses in search of exposed Docker APIs.</p> 
<p style="text-align: left;">For each target obtained, the function lists the images on the host with exposed Docker API. The output is then sent back to the C2 server.</p> 
<p style="text-align: left;">There is another function, upres(), which appears to be unused; it is likewise designed to send information to the attacker's C2 server.</p> 
<h3 style="text-align: left;">Exposed JupyterLab servers in the wild</h3> 
<p style="text-align: left;">Our goal was to gain a deeper understanding of the breadth of this campaign. Regrettably, our investigation of the attacks against our JupyterLab honeypots did not yield any evidence that our servers had been compromised by this campaign. As a result, we turned to Shodan to help us identify 51 servers with exposed JupyterLab instances in the wild. All of these exposed instances had been actively exploited or had recently been subjected to exploitation attempts by an attacker.</p> 
<p style="text-align: left;">We discovered a live manual attack on one of the servers that employed masscan to scan for exposed Docker APIs. The scan range was set to '124', and when we queried the attacker's server (<span style="font-family: 'Courier New', Courier, monospace;">http[:]//silentbob[.]anondns[.]com</span>), the response was a number strikingly similar, further supporting our suspicion that this is related to our campaign. To us, it appeared as if the attacker was conducting some tests. Further analysis on other exposed hosts revealed more activity from this same attacker.</p> 
<p style="text-align: left;"><img src="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-26-at-15.44.44.jpg?width=900&amp;height=100&amp;name=Screen-Shot-2023-06-26-at-15.44.44.jpg" alt="Screen-Shot-2023-06-26-at-15.44.44" width="900" height="100" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-26-at-15.44.44.jpg?width=450&amp;height=50&amp;name=Screen-Shot-2023-06-26-at-15.44.44.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-26-at-15.44.44.jpg?width=900&amp;height=100&amp;name=Screen-Shot-2023-06-26-at-15.44.44.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-26-at-15.44.44.jpg?width=1350&amp;height=150&amp;name=Screen-Shot-2023-06-26-at-15.44.44.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-26-at-15.44.44.jpg?width=1800&amp;height=200&amp;name=Screen-Shot-2023-06-26-at-15.44.44.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-26-at-15.44.44.jpg?width=2250&amp;height=250&amp;name=Screen-Shot-2023-06-26-at-15.44.44.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-26-at-15.44.44.jpg?width=2700&amp;height=300&amp;name=Screen-Shot-2023-06-26-at-15.44.44.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p style="text-align: left;">Figure 8 – a random attacked server with similar patterns to our campaign</p> 
<p style="text-align: left;"><img src="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-27-at-11.39.42.jpg?width=900&amp;height=37&amp;name=Screen-Shot-2023-06-27-at-11.39.42.jpg" alt="Screen-Shot-2023-06-27-at-11.39.42" width="900" height="37" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-27-at-11.39.42.jpg?width=450&amp;height=19&amp;name=Screen-Shot-2023-06-27-at-11.39.42.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-27-at-11.39.42.jpg?width=900&amp;height=37&amp;name=Screen-Shot-2023-06-27-at-11.39.42.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-27-at-11.39.42.jpg?width=1350&amp;height=56&amp;name=Screen-Shot-2023-06-27-at-11.39.42.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-27-at-11.39.42.jpg?width=1800&amp;height=74&amp;name=Screen-Shot-2023-06-27-at-11.39.42.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-27-at-11.39.42.jpg?width=2250&amp;height=93&amp;name=Screen-Shot-2023-06-27-at-11.39.42.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/Screen-Shot-2023-06-27-at-11.39.42.jpg?width=2700&amp;height=111&amp;name=Screen-Shot-2023-06-27-at-11.39.42.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p> 
<p style="text-align: left;">Figure 9 – a random attacked server with similar patterns to our campaign #2 &nbsp;</p> 
<h3 style="text-align: left;">Campaign analysis and attribution</h3> 
<p style="text-align: left;">To summarize our findings, we have identified four distinct container images. One of these was used in an attack on our misconfigured Docker API. These images were all recently uploaded to Docker Hub's public registry, yet cumulatively they have received fewer than 100 pulls. Given that some functions in the code remain unused and the linked attack patterns suggest manual testing, we theorize that the attacker is still refining their algorithm. We therefore speculate that this attack has yet to fully launch, and that it is likely to attract significant attention once it develops into a full-blown campaign.&nbsp;</p> 
<p style="text-align: left;">The operation of this cloud worm can be illustrated as follows (see the GIF below):</p> <div class="hs-video-widget" data-hsv-embed-id="7e66ff22-5267-4c49-a6a7-68ecdc778b0a">
  <img src="https://api-na1.hubapi.com/video/v1/public/123470178644/poster?portalId=1665891" style="max-width: 1920px" alt="HubSpot Video" data-hsv-id="123470178644" data-hsv-style="" data-hsv-width="1920" data-hsv-height="1080" data-hsv-autoplay="false" data-hsv-loop="false" data-hsv-muted="false" data-hsv-hidden-controls="false" data-hsv-full-width="false">
</div>
 
<p style="text-align: left;">Initially, the attacker identifies a misconfigured server (either Docker API or JupyterLab) and deploys a container or engages with the Command Line Interface (CLI) to scan for and identify additional victims. This process is designed to spread the malware to an increasing number of servers. The secondary payload of this attack includes a cryptominer and a backdoor, the latter employing the Tsunami malware as its weapon of choice.</p> 
<p style="text-align: left;">Given the specific Tactics, Techniques and Procedures (TTPs) observed, we firmly believe that the infrastructure for this operation was established by none other than the cybercriminal group known as TeamTNT. Alternatively, it could be an advanced copycat, who not only emulates their code, but also mirrors their degree of sophistication, affinity for the Dutch language, and distinct sense of humor.</p> 
<p style="text-align: left;">TeamTNT is a notorious cybercriminal group that has gained prominence for its aggressive attacks on cloud-based systems, especially those using Docker and Kubernetes environments. They specialize in cryptomining operations, but their methods have evolved over time to incorporate a variety of other malicious activities.</p> 
<p style="text-align: left;">The group initially made headlines by exploiting misconfigured Docker APIs to launch their attacks. They would infect cloud systems with cryptominers, a tactic that has become increasingly common among cybercriminals due to the potential for significant financial gain. However, TeamTNT's approach was unique for the level of sophistication and the scale at which they operated.</p> 
<p style="text-align: left;">As their tactics evolved, they began to target unsecured Kubernetes installations and even added functionality to their malware that could steal AWS credentials, providing them with potentially vast access to resources and data. They've also employed a worm-like feature to their malware, allowing it to spread itself across improperly configured or unsecured Docker and Kubernetes systems.</p> 
<p style="text-align: left;">One key hallmark of TeamTNT's operation is their extensive use of open-source tools. For instance, they used tools such as "Weave Scope," which allowed them to visualize and interact with cloud environments, further extending their reach and effectiveness.</p> 
<p style="text-align: left;">In addition, the group was known for its aggressive scanning of IP addresses, seeking exposed Docker APIs to exploit. They also cleverly concealed their command and control (C2) servers using services like DNS over HTTP to hide their actual addresses.</p> 
<p style="text-align: left;">However, as of our last update in September 2021, it appears that TeamTNT has ceased its activities. The reasons behind this sudden halt are unclear; it could be due to heightened security measures, successful law enforcement operations, or an internal decision to discontinue operations.</p> 
<p style="text-align: left;">Despite this cessation of activities, the impact of TeamTNT's campaigns is significant and provides essential lessons for the future. It highlights the critical importance of proper configuration and security measures in cloud environments. It also showcases how quickly and innovatively cybercriminal groups can evolve and adapt their tactics, using both traditional and emerging techniques to carry out their attacks.</p> 
<p style="text-align: left;">It is crucial to note that while TeamTNT may have ceased its activities, the threat to cloud environments remains very much alive. Other groups or individuals may adopt similar or more advanced tactics, making ongoing vigilance and robust security measures essential in today's digital landscape.</p> 
<p style="text-align: left;">In this campaign we’ve seen the following resemblance to TeamTNT’s TTPs:</p> 
<ol> 
 <li style="text-align: left;">In figure 7 the rate_to_scan snippet and some sections of the dAPIpwn function were used in the <a href="https://github.com/Caprico1/Docker-Botnets/blob/492320b09fa1f9773d454cfe374a8b95357f96e3/what_will_be_TEAMTNT/d.sh.txt#L4" rel="noopener" target="_blank">whatwillbe</a> campaign.</li> 
 <li style="text-align: left;">In figure 7 the dAPIpwn function was used in various previous campaigns by TeamTNT such as <a href="https://github.com/Caprico1/Docker-Botnets/blob/492320b09fa1f9773d454cfe374a8b95357f96e3/dockgeddon/init.sh#L21" rel="noopener" target="_blank">dockgeddon</a>, <a href="https://github.com/Caprico1/Docker-Botnets/blob/492320b09fa1f9773d454cfe374a8b95357f96e3/TEAMTNT_MASTER_LIST/chimaera/45_9_148_35/45.9.148.35/chimaera/sh/spread_docker_loop.sh#L97" rel="noopener" target="_blank">chimaera</a>, and others.</li> 
 <li style="text-align: left;">In figure 6, the script aws.sh was previously used by TeamTNT in various campaigns, though this is a fairly weak connection.</li> 
 <li style="text-align: left;">When the C2 server is pinged, it replies in German, a prank TeamTNT has also pulled in the past.</li> 
 <li style="text-align: left;">Tsunami malware was often used by TeamTNT in past campaigns.&nbsp;</li> 
</ol> 
<h3>Applying MITRE ATT&amp;CK Framework to the TeamTNT attacks</h3> 
<p>A summary that maps each component of the attack to the corresponding MITRE ATT&amp;CK framework and techniques category:&nbsp;</p> 
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/mitre-table-1.png" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/mitre-table-1.png?width=900&amp;height=350&amp;name=mitre-table-1.png" alt="mitre-table-1" width="900" height="350" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/mitre-table-1.png?width=450&amp;height=175&amp;name=mitre-table-1.png 450w, https://blog.aquasec.com/hs-fs/hubfs/mitre-table-1.png?width=900&amp;height=350&amp;name=mitre-table-1.png 900w, https://blog.aquasec.com/hs-fs/hubfs/mitre-table-1.png?width=1350&amp;height=525&amp;name=mitre-table-1.png 1350w, https://blog.aquasec.com/hs-fs/hubfs/mitre-table-1.png?width=1800&amp;height=700&amp;name=mitre-table-1.png 1800w, https://blog.aquasec.com/hs-fs/hubfs/mitre-table-1.png?width=2250&amp;height=875&amp;name=mitre-table-1.png 2250w, https://blog.aquasec.com/hs-fs/hubfs/mitre-table-1.png?width=2700&amp;height=1050&amp;name=mitre-table-1.png 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p> 
<p>*Restart container: The container is run with the flag <span style="font-family: 'Courier New', Courier, monospace;">--restart=always</span>, which provides persistence: if the container stops or fails, Docker will restart it.&nbsp;</p> 
<h3>In summary&nbsp;</h3> 
<p>It looks like TeamTNT or a TeamTNT copycat is preparing a campaign. We treat this as an early warning, and hopefully a way to prevent the campaign. At this stage, infrastructure is being built to support worm-like expansion across misconfigured Docker APIs and JupyterLab instances. Below are a few recommendations; when practiced together, they can help protect you against these kinds of attacks:</p> 
<p>Immediate basic steps: &nbsp;</p> 
<ol> 
 <li>Ensure you’re not running JupyterLab without authentication; specifically, make sure the token flag is not left empty when you launch JupyterLab. &nbsp;</li> 
 <li>Verify that your Docker API isn’t exposed to the internet, i.e., that the daemon isn’t bound to 0.0.0.0 (all interfaces) and accepting requests from anywhere.</li> 
 <li>Secure Configuration and Hardening: Ensure that Docker daemons and cloud instances are properly configured and hardened. Implement secure configurations, including strong passwords, disabling unnecessary services, and limiting access to only trusted networks or IP ranges. Regularly update and patch Docker and cloud platforms to address any vulnerabilities.</li> 
 <li>Least Privilege Principle: Apply the principle of least privilege to limit the permissions and capabilities of containers, Docker daemons, and cloud instances. Use appropriate user roles and access controls to restrict privileges and minimize the potential impact of a successful attack.</li> 
 <li>Scan the images that you use, making sure you are familiar with them and their use, using minimal privileges such as avoiding root user and privileged mode. Use a vulnerability scanner such as <a href="https://www.aquasec.com/products/trivy/" rel="noopener" target="_blank">Trivy</a> (open source).</li> 
 <li>Investigate logs, mostly around user actions, look for any anomalous actions.</li> 
 <li>Continuous Monitoring and Logging: Implement robust monitoring and logging solutions to detect and alert on suspicious activity within your cloud environment. Monitor network traffic, container behavior, and system logs for indicators of compromise (IoCs) related to such attacks, and regularly review the collected logs and alerts.</li> 
 <li>Form a security strategy where you can enforce your policies with ease, consider using cloud security tools that will widen your scope and reach within your cloud resources.&nbsp;</li> 
</ol> 
<p><em>Look for part two in this blog series as we continue to discover more about TeamTNT's recent campaign.</em></p> 
</div></span>
      </div>



    </div>
  </div>
</div>
</div>

</div><!--end row-->
</div><!--end row-wrapper -->




</div><!--end widget-span -->
<div class="span3 widget-span widget-type-cell blog-sidebar" style="" data-widget-type="cell" data-x="9" data-w="3">

<div class="row-fluid-wrapper row-depth-1 row-number-7 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-blog_subscribe " style="" data-widget-type="blog_subscribe" data-x="0" data-w="12">
<div class="cell-wrapper layout-widget-wrapper">
<span id="hs_cos_wrapper_module_14538258496742317" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_blog_subscribe" style="" data-hs-cos-general-type="widget" data-hs-cos-type="blog_subscribe"><h3 id="hs_cos_wrapper_module_14538258496742317_title" class="hs_cos_wrapper form-title" data-hs-cos-general-type="widget_field" data-hs-cos-type="text">Subscribe to Email Updates</h3>

<div id="hs_form_target_module_14538258496742317_3711"></div>



</span></div><!--end layout-widget-wrapper -->
</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

<div class="row-fluid-wrapper row-depth-1 row-number-8 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12">
<div id="hs_cos_wrapper_module_1550141167854489" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-post_listing" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">
  


<span id="hs_cos_wrapper_module_1550141167854489_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_post_listing" style="" data-hs-cos-general-type="widget" data-hs-cos-type="post_listing"><div class="block">
  <h3>Popular Posts</h3>
  <div class="widget-module">
    <ul class="hs-hash-1248747767-1688968558350">
    </ul>
  </div>
</div>
</span></div>

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

<div class="row-fluid-wrapper row-depth-1 row-number-9 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-post_filter " style="" data-widget-type="post_filter" data-x="0" data-w="12">
<div class="cell-wrapper layout-widget-wrapper">
<span id="hs_cos_wrapper_module_146324971355825147" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_post_filter" style="" data-hs-cos-general-type="widget" data-hs-cos-type="post_filter"><div class="block">
  <h3>Filter by Topic</h3>
  <div class="widget-module">
    <ul>
      
        <li>
          <a href="https://blog.aquasec.com/topic/container-security">Container Security <span class="filter-link-count" dir="ltr">(110)</span></a>
        </li>
      
    </ul>
    
    
  </div>
</div>
</span></div><!--end layout-widget-wrapper -->
</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end body -->
</div><!--end body wrapper -->

<div class="footer-container-wrapper">
    <div class="footer-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-raw_jinja " style="" data-widget-type="raw_jinja" data-x="0" data-w="12">
<script type="application/ld+json">
 {
     "@context": "http://schema.org",
     "@type": "BlogPosting",
     "headline": "Threat Alert: Anatomy of Silentbob’s Cloud Attack",
     "image": {
          "@type": "ImageObject",
          "url": "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Blog-Image--Cloud-worm-silent-bob-Recovered.jpg"
     },
     "datePublished": "2023-07-05 14:01:13",
     "dateModified": "July 5, 2023, 7:10:36 PM",
     "author": {
         "@type": "Person",
         "name": "Ofek Itach"
     },
     "publisher": {
         "@type": "Organization",
         "name": "Aqua Security",
         "logo": {
             "@type": "ImageObject",
             "url": "https://f.hubspotusercontent40.net/hubfs/1665891/SVG__2020%20Aqua%20Logo%20Color.svg"
         }
     },
     "description": " Nautilus identified infrastructure in early stages of testing and deployment, of a cloud worm, designed to deploy on exposed JupyterLab and Docker APIs"
 }
 </script></div><!--end widget-span -->

</div><!--end row-->
</div><!--end row-wrapper -->


    </div><!--end footer -->
</div><!--end footer wrapper -->

    
<script src="https://blog.aquasec.com/hs-fs/hub/1665891/hub_generated/template_assets/7511165868/1575250830489/Coded_files/Custom/page/Aqua_Theme_2019/aqua_theme_2019_scripts.js"></script>
<script>
// Seed the shared HubSpot variable bag (creating it if no earlier script did)
// with the page locale used by the i18n bundle loaded next.
var hsVars = hsVars || {};
hsVars.language = 'en-us';
</script>

<script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script>
<!-- HubSpot Video embed loader -->
<script async data-hs-portal-id="1665891" data-hs-ignore="true" data-cookieconsent="ignore" data-hs-page-id="123313501283" data-lazy-inject="true" src="https://static.hsappstatic.net/video-embed/ex/loader.js"></script>
<script src="/hs/hsstatic/AsyncSupport/static-1.122/js/comment_listing_asset.js"></script>
<script>
  // Builds the comment-feed options for this post and hands them to the
  // global hsPopulateCommentsFeed loader (presumably provided by the
  // comment_listing_asset.js script loaded just above). Called once the DOM
  // is ready; no return value.
  function hsOnReadyPopulateCommentsFeed() {
    var feedTarget = "hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c";
    var feedOptions = {};
    // Public (unauthenticated) comments endpoint for this portal / post / blog.
    feedOptions.commentsUrl = "https://api-na1.hubapi.com/comments/v3/comments/thread/public?portalId=1665891&offset=0&limit=1000&contentId=123313501283&collectionId=3657573699";
    feedOptions.maxThreadDepth = 1;
    feedOptions.showForm = true;
    feedOptions.skipAssociateContactReason = 'blogComment';
    feedOptions.disableContactPromotion = true;
    feedOptions.target = feedTarget;
    window.hsPopulateCommentsFeed(feedOptions);
  }

  // Invoke the comments-feed loader as soon as the DOM is usable: immediately
  // if parsing has already finished, otherwise on DOMContentLoaded. The
  // doScroll probe appears to be the legacy-IE readiness heuristic (this
  // template still ships lt-ie9 conditional markup).
  (function (onReady) {
    var parsed = document.readyState === "complete";
    var interactive = document.readyState !== "loading" && !document.documentElement.doScroll;
    if (parsed || interactive) {
      onReady();
    } else {
      document.addEventListener("DOMContentLoaded", onReady);
    }
  })(hsOnReadyPopulateCommentsFeed);

</script>


          <!--[if lte IE 8]>
          <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script>
          <![endif]-->
      
<script data-hs-allowed="true" src="/_hcms/forms/v2.js"></script>

        <script data-hs-allowed="true">
            // Mount the HubSpot blog-comment form into the comment-feed target
            // element. Portal / form / page identifiers are baked in by the
            // template; hbspt is provided by the /_hcms/forms/v2.js loader
            // above. Wrapped in an IIFE so the config does not become a global.
            (function () {
                var commentFormTarget = "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c";
                var commentFormConfig = {
                    portalId: '1665891',
                    formId: 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c',
                    pageId: '123313501283',
                    region: 'na1',
                    pageName: "Threat Alert: Anatomy of Silentbob\u2019s Cloud Attack",
                    contentType: 'blog-post',
                    // Relative path: the form is served from this page's own origin.
                    formsBaseUrl: '/_hcms/forms/',
                    css: '',
                    target: commentFormTarget,
                    type: 'BLOG_COMMENT',
                    submitButtonClass: 'hs-button primary',
                    formInstanceId: '4997',
                    // Read at create time; presumably defined by the comment-listing asset.
                    getExtraMetaDataBeforeSubmit: window.hsPopulateCommentFormGetExtraMetaDataBeforeSubmit
                };
                hbspt.forms.create(commentFormConfig);
            })();

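            // Relay form lifecycle events (delivered via postMessage by the
            // embedded comment form) to the comment-feed helpers. Only messages
            // carrying this form's id and a known event name are acted on.
            window.addEventListener('message', function(event) {
              var origin = event.origin;
              var data = event.data;
              // Origin check: accept only this page's own origin, compared
              // exactly (scheme + host + port). The previous test treated the
              // sender origin as a string prefix of document.location.href,
              // which also matches any origin whose string happens to be a
              // prefix of the page URL; an exact comparison keeps same-origin
              // messages working and rejects everything else.
              // 'null' is the origin of opaque contexts (e.g. sandboxed frames)
              // and is kept because the original code allowed it
              // — NOTE(review): confirm the embedded form never posts from such
              // a context; if it does not, drop the 'null' allowance as well.
              var originOk = origin != null &&
                (origin === 'null' || origin === window.location.origin);
              if (!originOk || data === null || data.type !== 'hsFormCallback' ||
                  data.id != 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c') {
                return;
              }
              if (data.eventName === 'onFormReady') {
                window.hsPopulateCommentFormOnFormReady({
                  successMessage: "your comment has been received.",
                  target: "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
                });
              } else if (data.eventName === 'onFormSubmitted') {
                window.hsPopulateCommentFormOnFormSubmitted();
              }
            });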
        </script>
      

    <!--[if lte IE 8]>
    <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script>
    <![endif]-->


  <script data-hs-allowed="true">
      // Mount the subscription form (its inline success text reads "Thanks
      // for Subscribing!") into the subscribe-module target element. hbspt is
      // provided by the /_hcms/forms/v2.js loader above; the IIFE keeps the
      // config object out of the global scope.
      (function () {
          var subscribeConfig = {
              portalId: '1665891',
              formId: 'fc3a461b-474b-4bd2-b409-c41d4ec09d8a',
              formInstanceId: '3711',
              pageId: '123313501283',
              region: 'na1',
              pageName: 'Threat Alert: Anatomy of Silentbob’s Cloud Attack',
              contentType: 'blog-post',
              // Relative path: the form is served from this page's own origin.
              formsBaseUrl: '/_hcms/forms/',
              inlineMessage: "Thanks for Subscribing!",
              css: '',
              target: '#hs_form_target_module_14538258496742317_3711',
              formData: {
                cssClass: 'hs-form stacked'
              }
          };
          hbspt.forms.create(subscribeConfig);
      })();
  </script>

<script src="/hs/hsstatic/AsyncSupport/static-1.122/js/post_listing_asset.js"></script>
<script>
  // Requests the "popular all time" post listing for this blog and hands it
  // to the global hsPopulateListingFeed renderer (presumably provided by
  // post_listing_asset.js, loaded just above). The listing URL carries
  // hs-expires / hs-signature parameters, so it appears to be a signed,
  // time-limited link generated at render time. No return value.
  function hsOnReadyPopulateListingFeed_1248747767_1688968558350() {
    var listingId = "1248747767-1688968558350";
    var listingUrl = "/_hcms/postlisting?blogId=3657573699&maxLinks=5&listingType=popular_all_time&orderByViews=true&hs-expires=1720504558&hs-version=2&hs-signature=AJ2IBuFmq0LhtJ65pkGmtGyn7zuRmqcmWw";
    var listingOptions = {
      'id': listingId,
      'listing_url': listingUrl,
      'include_featured_image': false
    };
    window.hsPopulateListingFeed(listingOptions);
  }

  // Run the listing-feed loader now if the document has already been parsed,
  // otherwise defer it to DOMContentLoaded. The doScroll probe appears to be
  // the legacy-IE readiness heuristic.
  (function (onReady) {
    var parsed = document.readyState === "complete";
    var interactive = document.readyState !== "loading" && !document.documentElement.doScroll;
    if (parsed || interactive) {
      onReady();
    } else {
      document.addEventListener("DOMContentLoaded", onReady);
    }
  })(hsOnReadyPopulateListingFeed_1248747767_1688968558350);
</script>

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-migrate/3.3.2/jquery-migrate.min.js"></script>










    


    <!-- Generated by the HubSpot Template Builder - template version 1.03 -->

</body></html>